I've been reading about these recently. Have any of you encountered one in your work? If so, how did you detect it, and what were its capabilities? Thanks.
To be more inclusive, do not forget about UEFI and similar implementations.
I have rarely "detected" them in the usual sense, i.e. based on indicative behavior. It is more that there is an audit requirement or a suspicion, and then you work your way up from the hard disk to any other storage in the device or connected to it. That is inevitable, because the development is relatively expensive. So the owners make sure that the software comes to life only in exceptional cases (characteristic of persistence modules) or operates indistinguishably from the untampered version (cryptographic weakening). I'd say those are also the main use cases.